Searching for Taint Vulnerabilities with Svace Static Analysis Tool

Programming and Computer Software

Abstract

This paper is dedicated to finding taint-based errors in the source code of programs, i.e., errors caused by unsafe use of data from external sources, which could potentially be modified by a malefactor. The interprocedural static analyzer Svace is used as a basis. The analyzer searches for both program defects and suspicious points where the logic of the program may be corrupted. The goal is to find as many errors as possible at an acceptable speed and a low false positive rate (<20–35%). For this purpose, Svace builds, with the help of a modified compiler, a low-level typed intermediate representation, which is the input to the main SvEng analyzer. The analyzer constructs a call graph and then carries out summary-based analysis: functions are traversed according to the call graph, starting from the leaves, and once a function is analyzed, its summary is created and then used to analyze the instructions that call it. The analysis has both high speed and good scalability. Intraprocedural analysis is based on symbolic execution with state merging at join points. An SMT solver can be used to filter out infeasible paths for some checkers; in this case, the SMT solver is called only if an error is suspected. The analyzer has been extended to find defects in the use of tainted data. The checkers are implemented as plugins based on the source–sink scheme. The sources are calls of library functions that receive data from outside the program, as well as the arguments of the main function. The sinks are array accesses, uses of variables as loop steps or bounds, and calls of functions that require checked arguments. Checkers that cover most of the possible vulnerabilities for tainted integers and strings are implemented. To assess the coverage, the Juliet project is used. The false negative rate ranges from 46.31% to 81.17% with a small number of false positives.
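As an added illustration (not the paper's or Svace's code), the toy below runs a summary-based source–sink taint analysis over a constructed mini-IR: functions are summarized leaves-first along the call graph, and a callee's summary is applied at each call site to decide whether a tainted value reaches an array index or a loop bound. The IR, the statement forms, the function names and the sample program are all invented for the example.

```python
# Constructed mini-IR (not Svace's): name -> (params, stmts), with statement forms
# ("source", dst) external data | ("copy", dst, src) | ("call", dst, callee, args) |
# ("ret", v) | sinks: ("index", v) array access, ("bound", v) loop bound or step.
TAINT = "*"  # origin marker: from an external source; an int origin means "from parameter i"

def analyze(prog):
    # Summaries are built leaves-first; a summary = return-value origins + params reaching a sink.
    summaries, warnings = {}, []

    def visit(fn):
        if fn in summaries:
            return
        params, stmts = prog[fn]
        for s in stmts:                   # leaves of the call graph first (toy: no recursion)
            if s[0] == "call":
                visit(s[2])
        # taint[v] = origins of v; the arguments of main are sources, as in the paper
        taint = {p: {TAINT if fn == "main" else i} for i, p in enumerate(params)}
        sm = {"ret": set(), "sinks": set()}
        def sink(kind, var):
            t = taint.get(var, set())
            if TAINT in t:
                warnings.append(f"{fn}: tainted value reaches {kind} via '{var}'")
            sm["sinks"] |= {i for i in t if i != TAINT}  # resolved later at call sites
        for s in stmts:
            if s[0] == "source":
                taint[s[1]] = {TAINT}
            elif s[0] == "copy":
                taint[s[1]] = set(taint.get(s[2], set()))
            elif s[0] in ("index", "bound"):
                sink(s[0], s[1])
            elif s[0] == "call":          # apply the callee's summary to the actual arguments
                _, dst, callee, args = s
                for i in summaries[callee]["sinks"]:
                    sink(f"argument {i} of {callee}", args[i])
                taint[dst] = set()
                for o in summaries[callee]["ret"]:
                    taint[dst] |= {TAINT} if o == TAINT else taint.get(args[o], set())
            elif s[0] == "ret":
                sm["ret"] = set(taint.get(s[1], set()))
        summaries[fn] = sm

    for fn in prog:
        visit(fn)
    return summaries, warnings

# Constructed sample: read_len returns external data, fill uses its parameter as a loop bound.
SAMPLE = {"read_len": ([], [("source", "n"), ("ret", "n")]),
          "fill": (["count"], [("bound", "count"), ("ret", "count")]),
          "main": (["argc", "argv"], [("call", "len", "read_len", []), ("call", "k", "fill", ["len"]),
                                      ("copy", "i", "argv"), ("index", "i"), ("index", "k")])}
```

Running `analyze(SAMPLE)` reports nothing inside `fill` itself (its loop bound depends only on a parameter) and three findings in `main`: the tainted length passed to `fill`, and the two array indices derived from `argv` and from `fill`'s return value.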


Notes

  1. Svace with Go support was released in January 2021.

  2. Abbreviated form of Svace Engine.

  3. In this paper, by DFA we mean an engine based on data-flow analysis.

  4. Parallel run of checkers can potentially speed up the analysis; however, it significantly complicates the intraprocedural analysis due to the need for synchronization. That is why parallelization is implemented at the level of the call graph: individual functions can be analyzed in parallel, while the analysis within a function is sequential.

  5. In the case of static analysis, all paths that the analysis considers feasible are taken into account. The more accurate the analysis, the more infeasible paths it can filter out.

  6. Generally, it is zero. In some cases, integer overflow can also cause an error.


Funding

This work was supported by the Russian Foundation for Basic Research, project no. 20-01-00581 А.

Author information

Correspondence to A. E. Borodin, A. V. Goremykin, S. P. Vartanov or A. A. Belevantsev.

Additional information

Translated by Yu. Kornienko

About this article

Cite this article

Borodin, A.E., Goremykin, A.V., Vartanov, S.P. et al. Searching for Taint Vulnerabilities with Svace Static Analysis Tool. Program Comput Soft 47, 466–481 (2021). https://doi.org/10.1134/S0361768821060037
